Wednesday, April 23, 2014

How to Filter SharePoint People Picker to Increase Extranet Security

You have successfully configured your secure extranet (using Extranet Collaboration Manager (ExCM)), ensuring that all permissions were set correctly and even configuring separate "roles" to keep your external users from being added to SharePoint Groups. Now there is no way that an external user can gain access to anything they are not supposed to see, right? Wrong!

If Samantha from your Human Resources Department needs to add Bobby Jones from the Marketing Department to a document, and she uses the SharePoint People Picker to find the name, an external user with the same name could still show up and be given permissions to the "internal eyes only" report. See the image below displaying both the intended internal Bobby Jones and the external Bobby@acme.com.

Or, say you are utilizing the Site Sponsor feature of ExCM and your external business partner uses the People Picker to look for additional users in their organization to make Site Sponsors. The business partner will not only see the users they have access to manage, but also every user that People Picker can see: internal AD users as well as other external users.

This seems like a flaw in SharePoint's People Picker.

However, People Picker was built this way for good reason: to ensure that it returns the right results for you. It searches every configured source so that it gets the most results when you need it to find someone. In an extranet scenario using forms-based authentication for external users, that means it bypasses the security boundaries you had in place.

I will walk you through the steps used to apply this filter, but be sure to read the important note at the end, as this may not be exactly the solution you are looking for.

So what is the best way to ensure that your extranet users never see any users listed anywhere in SharePoint other than users from their own organization and the internal users that are collaborating with them?

Answer: First, create separate Site Collections for each external business partner organization. Second, use the "stsadm setproperty" command to force People Picker to pick only from users in the current Site Collection.

According to the article mentioned above, you can force People Picker to only return users who have permissions in the current Site Collection by using either the PeoplePicker-Peopleeditoronlyresolvewithinsitecollection property or the PeoplePicker-Onlysearchwithinsitecollection property.

Which property you use depends on whether you want to set the restriction for the text box (called the "People Editor") and its Check Names button, or for the Select People and Groups dialog box. Both are covered in this article.

The first thing we need to do is open a cmd prompt and change directory to the "Common Files\Microsoft Shared\Web Server Extensions\15\bin" directory, as seen here:

Next, we will use the "getproperty" command of stsadm to see if the filter is currently turned on. (Note: if you built your SharePoint farm yourself and never adjusted this filter, chances are you can skip this step, though not many of us are that lucky; most of us have inherited our environments and must check these things. :) )

From the results we can see that the "only search within site collection" filter does exist, but its value is set to "no", so it is not turned on. In my test environment, Bobby Jones is an AD user and Sally@acme.com is an external user. If I log into my secure extranet as Sally, add a site sponsor, and type Bobby into the People Picker field, it will return Bobby Jones from my AD. This is not the desired result, as I do not want my external users to be able to see or select my internal AD users who do not have permissions in the current Site Collection.

To force People Picker to only return users who have permissions in the Site Collection when the Select People and Groups dialog box is used, type the following command:

Now, if we run the "getproperty" command again, we should see the value has changed to "yes":

If we go back and look for Bobby from my AD in People Picker, we'll see different results. He still shows up if I type his name into the People Editor text box and click the Check Names button; however, he will not show up when the Select People and Groups button and dialog are used:

We've made progress! :)

Now we need to finish the job by restricting the People Editor text box and the Check Names button.

To force People Picker to only return users who have permissions in the Site Collection when the Check Names button is clicked, type the following command:

Now, if I type the username Bobby into my People Editor text box and hit Enter (which is equivalent to clicking Check Names), I will get:

* IMPORTANT NOTE * Once you apply these filters, you will not be able to use People Picker to find new users to give permissions to the Site Collection. If you are configuring People Picker for use in an extranet scenario with ExCM, you will need to ensure that you have an ExCM Security Policy setting configured for the Site Collection that automatically adds all newly invited external users to the Visitors SharePoint Group (or any SharePoint Group that you wish). Adding external users to SQLMembershipProvider Roles will not work in this scenario, because users who are added only to Roles will not show up in People Picker, even though their Role may have been given permissions to the Site Collection.

What if you set all of this up and then determine that it does not work exactly like you need it to? Can you set it back to the out-of-the-box configuration?

Yes. To remove the People Picker filter(s), pass an empty value (open quotes, "") to the -pv switch of the same setproperty command.
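The whole sequence above (check the current values, apply both filters, verify, and revert) as one cmd script. This is an added example written for this page, not code from the original post or from ExCM. The site collection URL, the script name, and the getproperty output format it checks for (`<Property Exist="Yes" Value="yes" />`) are assumptions; the property names and the stsadm options are the ones the post uses.

```batch
@echo off
setlocal
REM Added example (not from the original post): apply, verify and optionally
REM revert the two People Picker site-collection filters with stsadm.
REM Assumptions: run from an elevated cmd prompt on a SharePoint 2013 farm
REM server as a farm administrator; SITE is a placeholder and must be replaced
REM with the external partner's own site collection URL.
set "SITE=http://extranet.example.com/sites/partner"
set "PN_DIALOG=peoplepicker-onlysearchwithinsitecollection"
set "PN_EDITOR=peoplepicker-peopleeditoronlyresolvewithinsitecollection"

cd /d "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\bin" || exit /b 1

if /i "%~1"=="revert" goto :revert

REM 1. Record the current state of both filters before changing anything.
echo --- Current values for %SITE% ---
stsadm -o getproperty -pn %PN_DIALOG% -url %SITE%
stsadm -o getproperty -pn %PN_EDITOR% -url %SITE%

REM 2. Restrict the Select People and Groups dialog to the site collection.
stsadm -o setproperty -pn %PN_DIALOG% -pv yes -url %SITE% || goto :fail

REM 3. Restrict the People Editor text box and the Check Names button.
stsadm -o setproperty -pn %PN_EDITOR% -pv yes -url %SITE% || goto :fail

REM 4. Verify. getproperty is assumed to print
REM    <Property Exist="Yes" Value="yes" /> once a filter is on; the script
REM    fails if either property does not read back as "yes".
stsadm -o getproperty -pn %PN_DIALOG% -url %SITE% | findstr /i /c:"Value=\"yes\"" >nul || goto :fail
stsadm -o getproperty -pn %PN_EDITOR% -url %SITE% | findstr /i /c:"Value=\"yes\"" >nul || goto :fail
echo Both People Picker filters are enforced on %SITE%
exit /b 0

:revert
REM Restore the out-of-the-box behaviour by passing an empty value to -pv.
stsadm -o setproperty -pn %PN_DIALOG% -pv "" -url %SITE% || goto :fail
stsadm -o setproperty -pn %PN_EDITOR% -pv "" -url %SITE% || goto :fail
echo People Picker filters removed from %SITE%
exit /b 0

:fail
echo stsadm reported an error; review the output above and re-run getproperty.
exit /b 1
```

Run it as `filter-peoplepicker.cmd` to apply and verify, and as `filter-peoplepicker.cmd revert` to clear both properties. Because the script reads both values back rather than trusting the setproperty exit code alone, a partner site collection where only one of the two filters took effect (the Bobby-still-resolves-in-Check-Names state shown earlier) is reported as a failure instead of silently passing. After it succeeds, repeat the post's test as the external user to confirm that internal AD users no longer resolve from either entry point.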

There are many more filters that you can apply to fit your environment, and I would welcome any reader to post a comment on how these filters have been used by you or your organization, and how they have helped or hindered your situation.